archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

net/packet, wgengine{,/filter}: remove net/packet IPProto forwarding consts

Browse Source 
Only use the ones in types/ipproto now.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/1560/head
Brad Fitzpatrick 4 years ago
parent 01b90df2fa
commit 1eb95c7e32
13 changed files with 169 additions and 152 deletions
Show Stats Download Patch File Download Diff File

8
net/packet/icmp4.go
Unescape Escape View File

@ -4,7 +4,11 @@
package packet package packet
import "encoding/binary" import (
"encoding/binary"
"tailscale.com/types/ipproto"
)
// icmp4HeaderLength is the size of the ICMPv4 packet header, not // icmp4HeaderLength is the size of the ICMPv4 packet header, not
// including the outer IP layer or the variable "response data" // including the outer IP layer or the variable "response data"
@ -66,7 +70,7 @@ func (h ICMP4Header) Marshal(buf []byte) error {
return errLargePacket return errLargePacket
} }
// The caller does not need to set this. // The caller does not need to set this.
h.IPProto = ICMPv4 h.IPProto = ipproto.ICMPv4
buf[20] = uint8(h.Type) buf[20] = uint8(h.Type)
buf[21] = uint8(h.Code) buf[21] = uint8(h.Code)

86
net/packet/packet.go
Unescape Escape View File

@ -15,17 +15,7 @@ import (
"tailscale.com/types/strbuilder" "tailscale.com/types/strbuilder"
) )
const ( const unknown = ipproto.Unknown
Unknown = ipproto.Unknown
TCP = ipproto.TCP
UDP = ipproto.UDP
SCTP = ipproto.SCTP
IGMP = ipproto.IGMP
ICMPv4 = ipproto.ICMPv4
ICMPv6 = ipproto.ICMPv6
TSMP = ipproto.TSMP
Fragment = ipproto.Fragment
)
// RFC1858: prevent overlapping fragment attacks. // RFC1858: prevent overlapping fragment attacks.
const minFrag = 60 + 20 // max IPv4 header + basic TCP header const minFrag = 60 + 20 // max IPv4 header + basic TCP header
@ -113,7 +103,7 @@ func (q *Parsed) Decode(b []byte) {
if len(b) < 1 { if len(b) < 1 {
q.IPVersion = 0 q.IPVersion = 0
q.IPProto = Unknown q.IPProto = unknown
return return
} }
@ -125,7 +115,7 @@ func (q *Parsed) Decode(b []byte) {
q.decode6(b) q.decode6(b)
default: default:
q.IPVersion = 0 q.IPVersion = 0
q.IPProto = Unknown q.IPProto = unknown
} }
} }
@ -138,7 +128,7 @@ func (q *Parsed) StuffForTesting(len int) {
func (q *Parsed) decode4(b []byte) { func (q *Parsed) decode4(b []byte) {
if len(b) < ip4HeaderLength { if len(b) < ip4HeaderLength {
q.IPVersion = 0 q.IPVersion = 0
q.IPProto = Unknown q.IPProto = unknown
return return
} }
@ -147,7 +137,7 @@ func (q *Parsed) decode4(b []byte) {
q.length = int(binary.BigEndian.Uint16(b[2:4])) q.length = int(binary.BigEndian.Uint16(b[2:4]))
if len(b) < q.length { if len(b) < q.length {
// Packet was cut off before full IPv4 length. // Packet was cut off before full IPv4 length.
q.IPProto = Unknown q.IPProto = unknown
return return
} }
@ -158,7 +148,7 @@ func (q *Parsed) decode4(b []byte) {
q.subofs = int((b[0] & 0x0F) << 2) q.subofs = int((b[0] & 0x0F) << 2)
if q.subofs > q.length { if q.subofs > q.length {
// next-proto starts beyond end of packet. // next-proto starts beyond end of packet.
q.IPProto = Unknown q.IPProto = unknown
return return
} }
sub := b[q.subofs:] sub := b[q.subofs:]
@ -183,29 +173,29 @@ func (q *Parsed) decode4(b []byte) {
// This is the first fragment // This is the first fragment
if moreFrags && len(sub) < minFrag { if moreFrags && len(sub) < minFrag {
// Suspiciously short first fragment, dump it. // Suspiciously short first fragment, dump it.
q.IPProto = Unknown q.IPProto = unknown
return return
} }
// otherwise, this is either non-fragmented (the usual case) // otherwise, this is either non-fragmented (the usual case)
// or a big enough initial fragment that we can read the // or a big enough initial fragment that we can read the
// whole subprotocol header. // whole subprotocol header.
switch q.IPProto { switch q.IPProto {
case ICMPv4: case ipproto.ICMPv4:
if len(sub) < icmp4HeaderLength { if len(sub) < icmp4HeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = 0 q.Src.Port = 0
q.Dst.Port = 0 q.Dst.Port = 0
q.dataofs = q.subofs + icmp4HeaderLength q.dataofs = q.subofs + icmp4HeaderLength
return return
case IGMP: case ipproto.IGMP:
// Keep IPProto, but don't parse anything else // Keep IPProto, but don't parse anything else
// out. // out.
return return
case TCP: case ipproto.TCP:
if len(sub) < tcpHeaderLength { if len(sub) < tcpHeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = binary.BigEndian.Uint16(sub[0:2]) q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
@ -214,29 +204,29 @@ func (q *Parsed) decode4(b []byte) {
headerLength := (sub[12] & 0xF0) >> 2 headerLength := (sub[12] & 0xF0) >> 2
q.dataofs = q.subofs + int(headerLength) q.dataofs = q.subofs + int(headerLength)
return return
case UDP: case ipproto.UDP:
if len(sub) < udpHeaderLength { if len(sub) < udpHeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = binary.BigEndian.Uint16(sub[0:2]) q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
q.Dst.Port = binary.BigEndian.Uint16(sub[2:4]) q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
q.dataofs = q.subofs + udpHeaderLength q.dataofs = q.subofs + udpHeaderLength
return return
case SCTP: case ipproto.SCTP:
if len(sub) < sctpHeaderLength { if len(sub) < sctpHeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = binary.BigEndian.Uint16(sub[0:2]) q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
q.Dst.Port = binary.BigEndian.Uint16(sub[2:4]) q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
return return
case TSMP: case ipproto.TSMP:
// Inter-tailscale messages. // Inter-tailscale messages.
q.dataofs = q.subofs q.dataofs = q.subofs
return return
default: default:
q.IPProto = Unknown q.IPProto = unknown
return return
} }
} else { } else {
@ -244,7 +234,7 @@ func (q *Parsed) decode4(b []byte) {
if fragOfs < minFrag { if fragOfs < minFrag {
// First frag was suspiciously short, so we can't // First frag was suspiciously short, so we can't
// trust the followup either. // trust the followup either.
q.IPProto = Unknown q.IPProto = unknown
return return
} }
// otherwise, we have to permit the fragment to slide through. // otherwise, we have to permit the fragment to slide through.
@ -253,7 +243,7 @@ func (q *Parsed) decode4(b []byte) {
// but that would require statefulness. Anyway, receivers' // but that would require statefulness. Anyway, receivers'
// kernels know to drop fragments where the initial fragment // kernels know to drop fragments where the initial fragment
// doesn't arrive. // doesn't arrive.
q.IPProto = Fragment q.IPProto = ipproto.Fragment
return return
} }
} }
@ -261,7 +251,7 @@ func (q *Parsed) decode4(b []byte) {
func (q *Parsed) decode6(b []byte) { func (q *Parsed) decode6(b []byte) {
if len(b) < ip6HeaderLength { if len(b) < ip6HeaderLength {
q.IPVersion = 0 q.IPVersion = 0
q.IPProto = Unknown q.IPProto = unknown
return return
} }
@ -269,7 +259,7 @@ func (q *Parsed) decode6(b []byte) {
q.length = int(binary.BigEndian.Uint16(b[4:6])) + ip6HeaderLength q.length = int(binary.BigEndian.Uint16(b[4:6])) + ip6HeaderLength
if len(b) < q.length { if len(b) < q.length {
// Packet was cut off before the full IPv6 length. // Packet was cut off before the full IPv6 length.
q.IPProto = Unknown q.IPProto = unknown
return return
} }
@ -295,17 +285,17 @@ func (q *Parsed) decode6(b []byte) {
sub = sub[:len(sub):len(sub)] // help the compiler do bounds check elimination sub = sub[:len(sub):len(sub)] // help the compiler do bounds check elimination
switch q.IPProto { switch q.IPProto {
case ICMPv6: case ipproto.ICMPv6:
if len(sub) < icmp6HeaderLength { if len(sub) < icmp6HeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = 0 q.Src.Port = 0
q.Dst.Port = 0 q.Dst.Port = 0
q.dataofs = q.subofs + icmp6HeaderLength q.dataofs = q.subofs + icmp6HeaderLength
case TCP: case ipproto.TCP:
if len(sub) < tcpHeaderLength { if len(sub) < tcpHeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = binary.BigEndian.Uint16(sub[0:2]) q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
@ -314,28 +304,28 @@ func (q *Parsed) decode6(b []byte) {
headerLength := (sub[12] & 0xF0) >> 2 headerLength := (sub[12] & 0xF0) >> 2
q.dataofs = q.subofs + int(headerLength) q.dataofs = q.subofs + int(headerLength)
return return
case UDP: case ipproto.UDP:
if len(sub) < udpHeaderLength { if len(sub) < udpHeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = binary.BigEndian.Uint16(sub[0:2]) q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
q.Dst.Port = binary.BigEndian.Uint16(sub[2:4]) q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
q.dataofs = q.subofs + udpHeaderLength q.dataofs = q.subofs + udpHeaderLength
case SCTP: case ipproto.SCTP:
if len(sub) < sctpHeaderLength { if len(sub) < sctpHeaderLength {
q.IPProto = Unknown q.IPProto = unknown
return return
} }
q.Src.Port = binary.BigEndian.Uint16(sub[0:2]) q.Src.Port = binary.BigEndian.Uint16(sub[0:2])
q.Dst.Port = binary.BigEndian.Uint16(sub[2:4]) q.Dst.Port = binary.BigEndian.Uint16(sub[2:4])
return return
case TSMP: case ipproto.TSMP:
// Inter-tailscale messages. // Inter-tailscale messages.
q.dataofs = q.subofs q.dataofs = q.subofs
return return
default: default:
q.IPProto = Unknown q.IPProto = unknown
return return
} }
} }
@ -396,13 +386,13 @@ func (q *Parsed) IsTCPSyn() bool {
// IsError reports whether q is an ICMP "Error" packet. // IsError reports whether q is an ICMP "Error" packet.
func (q *Parsed) IsError() bool { func (q *Parsed) IsError() bool {
switch q.IPProto { switch q.IPProto {
case ICMPv4: case ipproto.ICMPv4:
if len(q.b) < q.subofs+8 { if len(q.b) < q.subofs+8 {
return false return false
} }
t := ICMP4Type(q.b[q.subofs]) t := ICMP4Type(q.b[q.subofs])
return t == ICMP4Unreachable || t == ICMP4TimeExceeded return t == ICMP4Unreachable || t == ICMP4TimeExceeded
case ICMPv6: case ipproto.ICMPv6:
if len(q.b) < q.subofs+8 { if len(q.b) < q.subofs+8 {
return false return false
} }
@ -416,9 +406,9 @@ func (q *Parsed) IsError() bool {
// IsEchoRequest reports whether q is an ICMP Echo Request. // IsEchoRequest reports whether q is an ICMP Echo Request.
func (q *Parsed) IsEchoRequest() bool { func (q *Parsed) IsEchoRequest() bool {
switch q.IPProto { switch q.IPProto {
case ICMPv4: case ipproto.ICMPv4:
return len(q.b) >= q.subofs+8 && ICMP4Type(q.b[q.subofs]) == ICMP4EchoRequest && ICMP4Code(q.b[q.subofs+1]) == ICMP4NoCode return len(q.b) >= q.subofs+8 && ICMP4Type(q.b[q.subofs]) == ICMP4EchoRequest && ICMP4Code(q.b[q.subofs+1]) == ICMP4NoCode
case ICMPv6: case ipproto.ICMPv6:
return len(q.b) >= q.subofs+8 && ICMP6Type(q.b[q.subofs]) == ICMP6EchoRequest && ICMP6Code(q.b[q.subofs+1]) == ICMP6NoCode return len(q.b) >= q.subofs+8 && ICMP6Type(q.b[q.subofs]) == ICMP6EchoRequest && ICMP6Code(q.b[q.subofs+1]) == ICMP6NoCode
default: default:
return false return false
@ -428,9 +418,9 @@ func (q *Parsed) IsEchoRequest() bool {
// IsEchoRequest reports whether q is an IPv4 ICMP Echo Response. // IsEchoRequest reports whether q is an IPv4 ICMP Echo Response.
func (q *Parsed) IsEchoResponse() bool { func (q *Parsed) IsEchoResponse() bool {
switch q.IPProto { switch q.IPProto {
case ICMPv4: case ipproto.ICMPv4:
return len(q.b) >= q.subofs+8 && ICMP4Type(q.b[q.subofs]) == ICMP4EchoReply && ICMP4Code(q.b[q.subofs+1]) == ICMP4NoCode return len(q.b) >= q.subofs+8 && ICMP4Type(q.b[q.subofs]) == ICMP4EchoReply && ICMP4Code(q.b[q.subofs+1]) == ICMP4NoCode
case ICMPv6: case ipproto.ICMPv6:
return len(q.b) >= q.subofs+8 && ICMP6Type(q.b[q.subofs]) == ICMP6EchoReply && ICMP6Code(q.b[q.subofs+1]) == ICMP6NoCode return len(q.b) >= q.subofs+8 && ICMP6Type(q.b[q.subofs]) == ICMP6EchoReply && ICMP6Code(q.b[q.subofs+1]) == ICMP6NoCode
default: default:
return false return false

13
net/packet/packet_test.go
Unescape Escape View File

@ -10,6 +10,19 @@ import (
"testing" "testing"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/types/ipproto"
)
const (
Unknown = ipproto.Unknown
TCP = ipproto.TCP
UDP = ipproto.UDP
SCTP = ipproto.SCTP
IGMP = ipproto.IGMP
ICMPv4 = ipproto.ICMPv4
ICMPv6 = ipproto.ICMPv6
TSMP = ipproto.TSMP
Fragment = ipproto.Fragment
) )
func mustIPPort(s string) netaddr.IPPort { func mustIPPort(s string) netaddr.IPPort {

4
net/packet/tsmp.go
Unescape Escape View File

@ -139,7 +139,7 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
} }
if h.Src.IP.Is4() { if h.Src.IP.Is4() {
iph := IP4Header{ iph := IP4Header{
IPProto: TSMP, IPProto: ipproto.TSMP,
Src: h.IPSrc, Src: h.IPSrc,
Dst: h.IPDst, Dst: h.IPDst,
} }
@ -147,7 +147,7 @@ func (h TailscaleRejectedHeader) Marshal(buf []byte) error {
buf = buf[ip4HeaderLength:] buf = buf[ip4HeaderLength:]
} else if h.Src.IP.Is6() { } else if h.Src.IP.Is6() {
iph := IP6Header{ iph := IP6Header{
IPProto: TSMP, IPProto: ipproto.TSMP,
Src: h.IPSrc, Src: h.IPSrc,
Dst: h.IPDst, Dst: h.IPDst,
} }

8
net/packet/udp4.go
Unescape Escape View File

@ -4,7 +4,11 @@
package packet package packet
import "encoding/binary" import (
"encoding/binary"
"tailscale.com/types/ipproto"
)
// udpHeaderLength is the size of the UDP packet header, not including // udpHeaderLength is the size of the UDP packet header, not including
// the outer IP header. // the outer IP header.
@ -31,7 +35,7 @@ func (h UDP4Header) Marshal(buf []byte) error {
return errLargePacket return errLargePacket
} }
// The caller does not need to set this. // The caller does not need to set this.
h.IPProto = UDP h.IPProto = ipproto.UDP
length := len(buf) - h.IP4Header.Len() length := len(buf) - h.IP4Header.Len()
binary.BigEndian.PutUint16(buf[20:22], h.SrcPort) binary.BigEndian.PutUint16(buf[20:22], h.SrcPort)

8
net/packet/udp6.go
Unescape Escape View File

@ -4,7 +4,11 @@
package packet package packet
import "encoding/binary" import (
"encoding/binary"
"tailscale.com/types/ipproto"
)
// UDP6Header is an IPv6+UDP header. // UDP6Header is an IPv6+UDP header.
type UDP6Header struct { type UDP6Header struct {
@ -27,7 +31,7 @@ func (h UDP6Header) Marshal(buf []byte) error {
return errLargePacket return errLargePacket
} }
// The caller does not need to set this. // The caller does not need to set this.
h.IPProto = UDP h.IPProto = ipproto.UDP
length := len(buf) - h.IP6Header.Len() length := len(buf) - h.IP6Header.Len()
binary.BigEndian.PutUint16(buf[40:42], h.SrcPort) binary.BigEndian.PutUint16(buf[40:42], h.SrcPort)

24
wgengine/filter/filter.go
Unescape Escape View File

@ -268,7 +268,7 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
} }
pkt.Src.IP = srcIP pkt.Src.IP = srcIP
pkt.Dst.IP = dstIP pkt.Dst.IP = dstIP
pkt.IPProto = packet.TCP pkt.IPProto = ipproto.TCP
pkt.TCPFlags = packet.TCPSyn pkt.TCPFlags = packet.TCPSyn
pkt.Src.Port = 0 pkt.Src.Port = 0
pkt.Dst.Port = dstPort pkt.Dst.Port = dstPort
@ -326,7 +326,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
} }
switch q.IPProto { switch q.IPProto {
case packet.ICMPv4: case ipproto.ICMPv4:
if q.IsEchoResponse() || q.IsError() { if q.IsEchoResponse() || q.IsError() {
// ICMP responses are allowed. // ICMP responses are allowed.
// TODO(apenwarr): consider using conntrack state. // TODO(apenwarr): consider using conntrack state.
@ -338,7 +338,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
// If any port is open to an IP, allow ICMP to it. // If any port is open to an IP, allow ICMP to it.
return Accept, "icmp ok" return Accept, "icmp ok"
} }
case packet.TCP: case ipproto.TCP:
// For TCP, we want to allow *outgoing* connections, // For TCP, we want to allow *outgoing* connections,
// which means we want to allow return packets on those // which means we want to allow return packets on those
// connections. To make this restriction work, we need to // connections. To make this restriction work, we need to
@ -353,7 +353,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
if f.matches4.match(q) { if f.matches4.match(q) {
return Accept, "tcp ok" return Accept, "tcp ok"
} }
case packet.UDP, packet.SCTP: case ipproto.UDP, ipproto.SCTP:
t := flowtrack.Tuple{Proto: q.IPProto, Src: q.Src, Dst: q.Dst} t := flowtrack.Tuple{Proto: q.IPProto, Src: q.Src, Dst: q.Dst}
f.state.mu.Lock() f.state.mu.Lock()
@ -366,7 +366,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
if f.matches4.match(q) { if f.matches4.match(q) {
return Accept, "ok" return Accept, "ok"
} }
case packet.TSMP: case ipproto.TSMP:
return Accept, "tsmp ok" return Accept, "tsmp ok"
default: default:
return Drop, "Unknown proto" return Drop, "Unknown proto"
@ -383,7 +383,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
} }
switch q.IPProto { switch q.IPProto {
case packet.ICMPv6: case ipproto.ICMPv6:
if q.IsEchoResponse() || q.IsError() { if q.IsEchoResponse() || q.IsError() {
// ICMP responses are allowed. // ICMP responses are allowed.
// TODO(apenwarr): consider using conntrack state. // TODO(apenwarr): consider using conntrack state.
@ -395,7 +395,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
// If any port is open to an IP, allow ICMP to it. // If any port is open to an IP, allow ICMP to it.
return Accept, "icmp ok" return Accept, "icmp ok"
} }
case packet.TCP: case ipproto.TCP:
// For TCP, we want to allow *outgoing* connections, // For TCP, we want to allow *outgoing* connections,
// which means we want to allow return packets on those // which means we want to allow return packets on those
// connections. To make this restriction work, we need to // connections. To make this restriction work, we need to
@ -404,13 +404,13 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
// can't be initiated without first sending a SYN. // can't be initiated without first sending a SYN.
// It happens to also be much faster. // It happens to also be much faster.
// TODO(apenwarr): Skip the rest of decoding in this path? // TODO(apenwarr): Skip the rest of decoding in this path?
if q.IPProto == packet.TCP && !q.IsTCPSyn() { if q.IPProto == ipproto.TCP && !q.IsTCPSyn() {
return Accept, "tcp non-syn" return Accept, "tcp non-syn"
} }
if f.matches6.match(q) { if f.matches6.match(q) {
return Accept, "tcp ok" return Accept, "tcp ok"
} }
case packet.UDP, packet.SCTP: case ipproto.UDP, ipproto.SCTP:
t := flowtrack.Tuple{Proto: q.IPProto, Src: q.Src, Dst: q.Dst} t := flowtrack.Tuple{Proto: q.IPProto, Src: q.Src, Dst: q.Dst}
f.state.mu.Lock() f.state.mu.Lock()
@ -488,11 +488,11 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
} }
switch q.IPProto { switch q.IPProto {
case packet.Unknown: case ipproto.Unknown:
// Unknown packets are dangerous; always drop them. // Unknown packets are dangerous; always drop them.
f.logRateLimit(rf, q, dir, Drop, "unknown") f.logRateLimit(rf, q, dir, Drop, "unknown")
return Drop return Drop
case packet.Fragment: case ipproto.Fragment:
// Fragments after the first always need to be passed through. // Fragments after the first always need to be passed through.
// Very small fragments are considered Junk by Parsed. // Very small fragments are considered Junk by Parsed.
f.logRateLimit(rf, q, dir, Accept, "fragment") f.logRateLimit(rf, q, dir, Accept, "fragment")
@ -516,5 +516,5 @@ func omitDropLogging(p *packet.Parsed, dir direction) bool {
return false return false
} }
return p.Dst.IP.IsMulticast() || (p.Dst.IP.IsLinkLocalUnicast() && p.Dst.IP != gcpDNSAddr) || p.IPProto == packet.IGMP return p.Dst.IP.IsMulticast() || (p.Dst.IP.IsLinkLocalUnicast() && p.Dst.IP != gcpDNSAddr) || p.IPProto == ipproto.IGMP
} }

144
wgengine/filter/filter_test.go
Unescape Escape View File

@ -35,7 +35,7 @@ func newFilter(logf logger.Logf) *Filter {
} }
matches := []Match{ matches := []Match{
m(nets("8.1.1.1", "8.2.2.2"), netports("1.2.3.4:22", "5.6.7.8:23-24")), m(nets("8.1.1.1", "8.2.2.2"), netports("1.2.3.4:22", "5.6.7.8:23-24")),
m(nets("9.1.1.1", "9.2.2.2"), netports("1.2.3.4:22", "5.6.7.8:23-24"), packet.SCTP), m(nets("9.1.1.1", "9.2.2.2"), netports("1.2.3.4:22", "5.6.7.8:23-24"), ipproto.SCTP),
m(nets("8.1.1.1", "8.2.2.2"), netports("5.6.7.8:27-28")), m(nets("8.1.1.1", "8.2.2.2"), netports("5.6.7.8:27-28")),
m(nets("2.2.2.2"), netports("8.1.1.1:22")), m(nets("2.2.2.2"), netports("8.1.1.1:22")),
m(nets("0.0.0.0/0"), netports("100.122.98.50:*")), m(nets("0.0.0.0/0"), netports("100.122.98.50:*")),
@ -66,48 +66,48 @@ func TestFilter(t *testing.T) {
} }
tests := []InOut{ tests := []InOut{
// allow 8.1.1.1 => 1.2.3.4:22 // allow 8.1.1.1 => 1.2.3.4:22
{Accept, parsed(packet.TCP, "8.1.1.1", "1.2.3.4", 999, 22)}, {Accept, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 999, 22)},
{Accept, parsed(packet.ICMPv4, "8.1.1.1", "1.2.3.4", 0, 0)}, {Accept, parsed(ipproto.ICMPv4, "8.1.1.1", "1.2.3.4", 0, 0)},
{Drop, parsed(packet.TCP, "8.1.1.1", "1.2.3.4", 0, 0)}, {Drop, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 0)},
{Accept, parsed(packet.TCP, "8.1.1.1", "1.2.3.4", 0, 22)}, {Accept, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 22)},
{Drop, parsed(packet.TCP, "8.1.1.1", "1.2.3.4", 0, 21)}, {Drop, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 21)},
// allow 8.2.2.2. => 1.2.3.4:22 // allow 8.2.2.2. => 1.2.3.4:22
{Accept, parsed(packet.TCP, "8.2.2.2", "1.2.3.4", 0, 22)}, {Accept, parsed(ipproto.TCP, "8.2.2.2", "1.2.3.4", 0, 22)},
{Drop, parsed(packet.TCP, "8.2.2.2", "1.2.3.4", 0, 23)}, {Drop, parsed(ipproto.TCP, "8.2.2.2", "1.2.3.4", 0, 23)},
{Drop, parsed(packet.TCP, "8.3.3.3", "1.2.3.4", 0, 22)}, {Drop, parsed(ipproto.TCP, "8.3.3.3", "1.2.3.4", 0, 22)},
// allow 8.1.1.1 => 5.6.7.8:23-24 // allow 8.1.1.1 => 5.6.7.8:23-24
{Accept, parsed(packet.TCP, "8.1.1.1", "5.6.7.8", 0, 23)}, {Accept, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 23)},
{Accept, parsed(packet.TCP, "8.1.1.1", "5.6.7.8", 0, 24)}, {Accept, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 24)},
{Drop, parsed(packet.TCP, "8.1.1.3", "5.6.7.8", 0, 24)}, {Drop, parsed(ipproto.TCP, "8.1.1.3", "5.6.7.8", 0, 24)},
{Drop, parsed(packet.TCP, "8.1.1.1", "5.6.7.8", 0, 22)}, {Drop, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 22)},
// allow * => *:443 // allow * => *:443
{Accept, parsed(packet.TCP, "17.34.51.68", "8.1.34.51", 0, 443)}, {Accept, parsed(ipproto.TCP, "17.34.51.68", "8.1.34.51", 0, 443)},
{Drop, parsed(packet.TCP, "17.34.51.68", "8.1.34.51", 0, 444)}, {Drop, parsed(ipproto.TCP, "17.34.51.68", "8.1.34.51", 0, 444)},
// allow * => 100.122.98.50:* // allow * => 100.122.98.50:*
{Accept, parsed(packet.TCP, "17.34.51.68", "100.122.98.50", 0, 999)}, {Accept, parsed(ipproto.TCP, "17.34.51.68", "100.122.98.50", 0, 999)},
{Accept, parsed(packet.TCP, "17.34.51.68", "100.122.98.50", 0, 0)}, {Accept, parsed(ipproto.TCP, "17.34.51.68", "100.122.98.50", 0, 0)},
// allow ::1, ::2 => [2001::1]:22 // allow ::1, ::2 => [2001::1]:22
{Accept, parsed(packet.TCP, "::1", "2001::1", 0, 22)}, {Accept, parsed(ipproto.TCP, "::1", "2001::1", 0, 22)},
{Accept, parsed(packet.ICMPv6, "::1", "2001::1", 0, 0)}, {Accept, parsed(ipproto.ICMPv6, "::1", "2001::1", 0, 0)},
{Accept, parsed(packet.TCP, "::2", "2001::1", 0, 22)}, {Accept, parsed(ipproto.TCP, "::2", "2001::1", 0, 22)},
{Accept, parsed(packet.TCP, "::2", "2001::2", 0, 22)}, {Accept, parsed(ipproto.TCP, "::2", "2001::2", 0, 22)},
{Drop, parsed(packet.TCP, "::1", "2001::1", 0, 23)}, {Drop, parsed(ipproto.TCP, "::1", "2001::1", 0, 23)},
{Drop, parsed(packet.TCP, "::1", "2001::3", 0, 22)}, {Drop, parsed(ipproto.TCP, "::1", "2001::3", 0, 22)},
{Drop, parsed(packet.TCP, "::3", "2001::1", 0, 22)}, {Drop, parsed(ipproto.TCP, "::3", "2001::1", 0, 22)},
// allow * => *:443 // allow * => *:443
{Accept, parsed(packet.TCP, "::1", "2001::1", 0, 443)}, {Accept, parsed(ipproto.TCP, "::1", "2001::1", 0, 443)},
{Drop, parsed(packet.TCP, "::1", "2001::1", 0, 444)}, {Drop, parsed(ipproto.TCP, "::1", "2001::1", 0, 444)},
// localNets prefilter - accepted by policy filter, but // localNets prefilter - accepted by policy filter, but
// unexpected dst IP. // unexpected dst IP.
{Drop, parsed(packet.TCP, "8.1.1.1", "16.32.48.64", 0, 443)}, {Drop, parsed(ipproto.TCP, "8.1.1.1", "16.32.48.64", 0, 443)},
{Drop, parsed(packet.TCP, "1::", "2602::1", 0, 443)}, {Drop, parsed(ipproto.TCP, "1::", "2602::1", 0, 443)},
// Don't allow protocols not specified by filter // Don't allow protocols not specified by filter
{Drop, parsed(packet.SCTP, "8.1.1.1", "1.2.3.4", 999, 22)}, {Drop, parsed(ipproto.SCTP, "8.1.1.1", "1.2.3.4", 999, 22)},
// But SCTP is allowed for 9.1.1.1 // But SCTP is allowed for 9.1.1.1
{Accept, parsed(packet.SCTP, "9.1.1.1", "1.2.3.4", 999, 22)}, {Accept, parsed(ipproto.SCTP, "9.1.1.1", "1.2.3.4", 999, 22)},
} }
for i, test := range tests { for i, test := range tests {
aclFunc := acl.runIn4 aclFunc := acl.runIn4
@ -117,7 +117,7 @@ func TestFilter(t *testing.T) {
if got, why := aclFunc(&test.p); test.want != got { if got, why := aclFunc(&test.p); test.want != got {
t.Errorf("#%d runIn got=%v want=%v why=%q packet:%v", i, got, test.want, why, test.p) t.Errorf("#%d runIn got=%v want=%v why=%q packet:%v", i, got, test.want, why, test.p)
} }
if test.p.IPProto == packet.TCP { if test.p.IPProto == ipproto.TCP {
var got Response var got Response
if test.p.IPVersion == 4 { if test.p.IPVersion == 4 {
got = acl.CheckTCP(test.p.Src.IP, test.p.Dst.IP, test.p.Dst.Port) got = acl.CheckTCP(test.p.Src.IP, test.p.Dst.IP, test.p.Dst.Port)
@ -128,7 +128,7 @@ func TestFilter(t *testing.T) {
t.Errorf("#%d CheckTCP got=%v want=%v packet:%v", i, got, test.want, test.p) t.Errorf("#%d CheckTCP got=%v want=%v packet:%v", i, got, test.want, test.p)
} }
// TCP and UDP are treated equivalently in the filter - verify that. // TCP and UDP are treated equivalently in the filter - verify that.
test.p.IPProto = packet.UDP test.p.IPProto = ipproto.UDP
if got, why := aclFunc(&test.p); test.want != got { if got, why := aclFunc(&test.p); test.want != got {
t.Errorf("#%d runIn (UDP) got=%v want=%v why=%q packet:%v", i, got, test.want, why, test.p) t.Errorf("#%d runIn (UDP) got=%v want=%v why=%q packet:%v", i, got, test.want, why, test.p)
} }
@ -142,8 +142,8 @@ func TestUDPState(t *testing.T) {
acl := newFilter(t.Logf) acl := newFilter(t.Logf)
flags := LogDrops | LogAccepts flags := LogDrops | LogAccepts
a4 := parsed(packet.UDP, "119.119.119.119", "102.102.102.102", 4242, 4343) a4 := parsed(ipproto.UDP, "119.119.119.119", "102.102.102.102", 4242, 4343)
b4 := parsed(packet.UDP, "102.102.102.102", "119.119.119.119", 4343, 4242) b4 := parsed(ipproto.UDP, "102.102.102.102", "119.119.119.119", 4343, 4242)
// Unsollicited UDP traffic gets dropped // Unsollicited UDP traffic gets dropped
if got := acl.RunIn(&a4, flags); got != Drop { if got := acl.RunIn(&a4, flags); got != Drop {
@ -158,8 +158,8 @@ func TestUDPState(t *testing.T) {
t.Fatalf("incoming response packet not accepted, got=%v: %v", got, a4) t.Fatalf("incoming response packet not accepted, got=%v: %v", got, a4)
} }
a6 := parsed(packet.UDP, "2001::2", "2001::1", 4242, 4343) a6 := parsed(ipproto.UDP, "2001::2", "2001::1", 4242, 4343)
b6 := parsed(packet.UDP, "2001::1", "2001::2", 4343, 4242) b6 := parsed(ipproto.UDP, "2001::1", "2001::2", 4343, 4242)
// Unsollicited UDP traffic gets dropped // Unsollicited UDP traffic gets dropped
if got := acl.RunIn(&a6, flags); got != Drop { if got := acl.RunIn(&a6, flags); got != Drop {
@ -178,10 +178,10 @@ func TestUDPState(t *testing.T) {
func TestNoAllocs(t *testing.T) { func TestNoAllocs(t *testing.T) {
acl := newFilter(t.Logf) acl := newFilter(t.Logf)
tcp4Packet := raw4(packet.TCP, "8.1.1.1", "1.2.3.4", 999, 22, 0) tcp4Packet := raw4(ipproto.TCP, "8.1.1.1", "1.2.3.4", 999, 22, 0)
udp4Packet := raw4(packet.UDP, "8.1.1.1", "1.2.3.4", 999, 22, 0) udp4Packet := raw4(ipproto.UDP, "8.1.1.1", "1.2.3.4", 999, 22, 0)
tcp6Packet := raw6(packet.TCP, "2001::1", "2001::2", 999, 22, 0) tcp6Packet := raw6(ipproto.TCP, "2001::1", "2001::2", 999, 22, 0)
udp6Packet := raw6(packet.UDP, "2001::1", "2001::2", 999, 22, 0) udp6Packet := raw6(ipproto.UDP, "2001::1", "2001::2", 999, 22, 0)
tests := []struct { tests := []struct {
name string name string
@ -262,13 +262,13 @@ func TestParseIPSet(t *testing.T) {
} }
func BenchmarkFilter(b *testing.B) { func BenchmarkFilter(b *testing.B) {
tcp4Packet := raw4(packet.TCP, "8.1.1.1", "1.2.3.4", 999, 22, 0) tcp4Packet := raw4(ipproto.TCP, "8.1.1.1", "1.2.3.4", 999, 22, 0)
udp4Packet := raw4(packet.UDP, "8.1.1.1", "1.2.3.4", 999, 22, 0) udp4Packet := raw4(ipproto.UDP, "8.1.1.1", "1.2.3.4", 999, 22, 0)
icmp4Packet := raw4(packet.ICMPv4, "8.1.1.1", "1.2.3.4", 0, 0, 0) icmp4Packet := raw4(ipproto.ICMPv4, "8.1.1.1", "1.2.3.4", 0, 0, 0)
tcp6Packet := raw6(packet.TCP, "::1", "2001::1", 999, 22, 0) tcp6Packet := raw6(ipproto.TCP, "::1", "2001::1", 999, 22, 0)
udp6Packet := raw6(packet.UDP, "::1", "2001::1", 999, 22, 0) udp6Packet := raw6(ipproto.UDP, "::1", "2001::1", 999, 22, 0)
icmp6Packet := raw6(packet.ICMPv6, "::1", "2001::1", 0, 0, 0) icmp6Packet := raw6(ipproto.ICMPv6, "::1", "2001::1", 0, 0, 0)
benches := []struct { benches := []struct {
name string name string
@ -315,11 +315,11 @@ func TestPreFilter(t *testing.T) {
}{ }{
{"empty", Accept, []byte{}}, {"empty", Accept, []byte{}},
{"short", Drop, []byte("short")}, {"short", Drop, []byte("short")},
{"junk", Drop, raw4default(packet.Unknown, 10)}, {"junk", Drop, raw4default(ipproto.Unknown, 10)},
{"fragment", Accept, raw4default(packet.Fragment, 40)}, {"fragment", Accept, raw4default(ipproto.Fragment, 40)},
{"tcp", noVerdict, raw4default(packet.TCP, 0)}, {"tcp", noVerdict, raw4default(ipproto.TCP, 0)},
{"udp", noVerdict, raw4default(packet.UDP, 0)}, {"udp", noVerdict, raw4default(ipproto.UDP, 0)},
{"icmp", noVerdict, raw4default(packet.ICMPv4, 0)}, {"icmp", noVerdict, raw4default(ipproto.ICMPv4, 0)},
} }
f := NewAllowNone(t.Logf, &netaddr.IPSet{}) f := NewAllowNone(t.Logf, &netaddr.IPSet{})
for _, testPacket := range packets { for _, testPacket := range packets {
@ -341,7 +341,7 @@ func TestOmitDropLogging(t *testing.T) {
}{ }{
{ {
name: "v4_tcp_out", name: "v4_tcp_out",
pkt: &packet.Parsed{IPVersion: 4, IPProto: packet.TCP}, pkt: &packet.Parsed{IPVersion: 4, IPProto: ipproto.TCP},
dir: out, dir: out,
want: false, want: false,
}, },
@ -439,73 +439,73 @@ func TestLoggingPrivacy(t *testing.T) {
}{ }{
{ {
name: "ts_to_ts_v4_out", name: "ts_to_ts_v4_out",
pkt: &packet.Parsed{IPVersion: 4, IPProto: packet.TCP, Src: ts4, Dst: ts4}, pkt: &packet.Parsed{IPVersion: 4, IPProto: ipproto.TCP, Src: ts4, Dst: ts4},
dir: out, dir: out,
logged: true, logged: true,
}, },
{ {
name: "ts_to_internet_v4_out", name: "ts_to_internet_v4_out",
pkt: &packet.Parsed{IPVersion: 4, IPProto: packet.TCP, Src: ts4, Dst: internet4}, pkt: &packet.Parsed{IPVersion: 4, IPProto: ipproto.TCP, Src: ts4, Dst: internet4},
dir: out, dir: out,
logged: false, logged: false,
}, },
{ {
name: "internet_to_ts_v4_out", name: "internet_to_ts_v4_out",
pkt: &packet.Parsed{IPVersion: 4, IPProto: packet.TCP, Src: internet4, Dst: ts4}, pkt: &packet.Parsed{IPVersion: 4, IPProto: ipproto.TCP, Src: internet4, Dst: ts4},
dir: out, dir: out,
logged: false, logged: false,
}, },
{ {
name: "ts_to_ts_v4_in", name: "ts_to_ts_v4_in",
pkt: &packet.Parsed{IPVersion: 4, IPProto: packet.TCP, Src: ts4, Dst: ts4}, pkt: &packet.Parsed{IPVersion: 4, IPProto: ipproto.TCP, Src: ts4, Dst: ts4},
dir: in, dir: in,
logged: true, logged: true,
}, },
{ {
name: "ts_to_internet_v4_in", name: "ts_to_internet_v4_in",
pkt: &packet.Parsed{IPVersion: 4, IPProto: packet.TCP, Src: ts4, Dst: internet4}, pkt: &packet.Parsed{IPVersion: 4, IPProto: ipproto.TCP, Src: ts4, Dst: internet4},
dir: in, dir: in,
logged: false, logged: false,
}, },
{ {
name: "internet_to_ts_v4_in", name: "internet_to_ts_v4_in",
pkt: &packet.Parsed{IPVersion: 4, IPProto: packet.TCP, Src: internet4, Dst: ts4}, pkt: &packet.Parsed{IPVersion: 4, IPProto: ipproto.TCP, Src: internet4, Dst: ts4},
dir: in, dir: in,
logged: false, logged: false,
}, },
{ {
name: "ts_to_ts_v6_out", name: "ts_to_ts_v6_out",
pkt: &packet.Parsed{IPVersion: 6, IPProto: packet.TCP, Src: ts6, Dst: ts6}, pkt: &packet.Parsed{IPVersion: 6, IPProto: ipproto.TCP, Src: ts6, Dst: ts6},
dir: out, dir: out,
logged: true, logged: true,
}, },
{ {
name: "ts_to_internet_v6_out", name: "ts_to_internet_v6_out",
pkt: &packet.Parsed{IPVersion: 6, IPProto: packet.TCP, Src: ts6, Dst: internet6}, pkt: &packet.Parsed{IPVersion: 6, IPProto: ipproto.TCP, Src: ts6, Dst: internet6},
dir: out, dir: out,
logged: false, logged: false,
}, },
{ {
name: "internet_to_ts_v6_out", name: "internet_to_ts_v6_out",
pkt: &packet.Parsed{IPVersion: 6, IPProto: packet.TCP, Src: internet6, Dst: ts6}, pkt: &packet.Parsed{IPVersion: 6, IPProto: ipproto.TCP, Src: internet6, Dst: ts6},
dir: out, dir: out,
logged: false, logged: false,
}, },
{ {
name: "ts_to_ts_v6_in", name: "ts_to_ts_v6_in",
pkt: &packet.Parsed{IPVersion: 6, IPProto: packet.TCP, Src: ts6, Dst: ts6}, pkt: &packet.Parsed{IPVersion: 6, IPProto: ipproto.TCP, Src: ts6, Dst: ts6},
dir: in, dir: in,
logged: true, logged: true,
}, },
{ {
name: "ts_to_internet_v6_in", name: "ts_to_internet_v6_in",
pkt: &packet.Parsed{IPVersion: 6, IPProto: packet.TCP, Src: ts6, Dst: internet6}, pkt: &packet.Parsed{IPVersion: 6, IPProto: ipproto.TCP, Src: ts6, Dst: internet6},
dir: in, dir: in,
logged: false, logged: false,
}, },
{ {
name: "internet_to_ts_v6_in", name: "internet_to_ts_v6_in",
pkt: &packet.Parsed{IPVersion: 6, IPProto: packet.TCP, Src: internet6, Dst: ts6}, pkt: &packet.Parsed{IPVersion: 6, IPProto: ipproto.TCP, Src: internet6, Dst: ts6},
dir: in, dir: in,
logged: false, logged: false,
}, },
@ -607,7 +607,7 @@ func raw4(proto ipproto.Proto, src, dst string, sport, dport uint16, trimLength
// UDP marshaling clobbers IPProto, so override it here. // UDP marshaling clobbers IPProto, so override it here.
switch proto { switch proto {
case packet.Unknown, packet.Fragment: case ipproto.Unknown, ipproto.Fragment:
default: default:
u.IP4Header.IPProto = proto u.IP4Header.IPProto = proto
} }
@ -615,7 +615,7 @@ func raw4(proto ipproto.Proto, src, dst string, sport, dport uint16, trimLength
panic(err) panic(err)
} }
if proto == packet.Fragment { if proto == ipproto.Fragment {
// Set some fragment offset. This makes the IP // Set some fragment offset. This makes the IP
// checksum wrong, but we don't validate the checksum // checksum wrong, but we don't validate the checksum
// when parsing. // when parsing.
@ -751,10 +751,10 @@ func TestMatchesFromFilterRules(t *testing.T) {
want: []Match{ want: []Match{
{ {
IPProto: []ipproto.Proto{ IPProto: []ipproto.Proto{
packet.TCP, ipproto.TCP,
packet.UDP, ipproto.UDP,
packet.ICMPv4, ipproto.ICMPv4,
packet.ICMPv6, ipproto.ICMPv6,
}, },
Dsts: []NetPortRange{ Dsts: []NetPortRange{
{ {
@ -776,7 +776,7 @@ func TestMatchesFromFilterRules(t *testing.T) {
name: "explicit_protos", name: "explicit_protos",
in: []tailcfg.FilterRule{ in: []tailcfg.FilterRule{
{ {
IPProto: []int{int(packet.TCP)}, IPProto: []int{int(ipproto.TCP)},
SrcIPs: []string{"100.64.1.1"}, SrcIPs: []string{"100.64.1.1"},
DstPorts: []tailcfg.NetPortRange{{ DstPorts: []tailcfg.NetPortRange{{
IP: "1.2.0.0/16", IP: "1.2.0.0/16",
@ -787,7 +787,7 @@ func TestMatchesFromFilterRules(t *testing.T) {
want: []Match{ want: []Match{
{ {
IPProto: []ipproto.Proto{ IPProto: []ipproto.Proto{
packet.TCP, ipproto.TCP,
}, },
Dsts: []NetPortRange{ Dsts: []NetPortRange{
{ {

9
wgengine/filter/tailcfg.go
Unescape Escape View File

@ -9,16 +9,15 @@ import (
"strings" "strings"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/net/packet"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/ipproto" "tailscale.com/types/ipproto"
) )
var defaultProtos = []ipproto.Proto{ var defaultProtos = []ipproto.Proto{
packet.TCP, ipproto.TCP,
packet.UDP, ipproto.UDP,
packet.ICMPv4, ipproto.ICMPv4,
packet.ICMPv6, ipproto.ICMPv6,
} }
// MatchesFromFilterRules converts tailcfg FilterRules into Matches. // MatchesFromFilterRules converts tailcfg FilterRules into Matches.

7
wgengine/pendopen.go
Unescape Escape View File

@ -14,6 +14,7 @@ import (
"tailscale.com/net/flowtrack" "tailscale.com/net/flowtrack"
"tailscale.com/net/packet" "tailscale.com/net/packet"
"tailscale.com/net/tsaddr" "tailscale.com/net/tsaddr"
"tailscale.com/types/ipproto"
"tailscale.com/wgengine/filter" "tailscale.com/wgengine/filter"
"tailscale.com/wgengine/tstun" "tailscale.com/wgengine/tstun"
) )
@ -68,7 +69,7 @@ func (e *userspaceEngine) noteFlowProblemFromPeer(f flowtrack.Tuple, problem pac
func (e *userspaceEngine) trackOpenPreFilterIn(pp *packet.Parsed, t *tstun.TUN) (res filter.Response) { func (e *userspaceEngine) trackOpenPreFilterIn(pp *packet.Parsed, t *tstun.TUN) (res filter.Response) {
res = filter.Accept // always res = filter.Accept // always
if pp.IPProto == packet.TSMP { if pp.IPProto == ipproto.TSMP {
res = filter.DropSilently res = filter.DropSilently
rh, ok := pp.AsTailscaleRejectedHeader() rh, ok := pp.AsTailscaleRejectedHeader()
if !ok { if !ok {
@ -83,7 +84,7 @@ func (e *userspaceEngine) trackOpenPreFilterIn(pp *packet.Parsed, t *tstun.TUN)
} }
if pp.IPVersion == 0 || if pp.IPVersion == 0 ||
pp.IPProto != packet.TCP || pp.IPProto != ipproto.TCP ||
pp.TCPFlags&(packet.TCPSyn|packet.TCPRst) == 0 { pp.TCPFlags&(packet.TCPSyn|packet.TCPRst) == 0 {
return return
} }
@ -102,7 +103,7 @@ func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.TUN
res = filter.Accept // always res = filter.Accept // always
if pp.IPVersion == 0 || if pp.IPVersion == 0 ||
pp.IPProto != packet.TCP || pp.IPProto != ipproto.TCP ||
pp.TCPFlags&packet.TCPSyn == 0 { pp.TCPFlags&packet.TCPSyn == 0 {
return return
} }

3
wgengine/tstun/tun.go
Unescape Escape View File

@ -18,6 +18,7 @@ import (
"github.com/tailscale/wireguard-go/tun" "github.com/tailscale/wireguard-go/tun"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/net/packet" "tailscale.com/net/packet"
"tailscale.com/types/ipproto"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/wgengine/filter" "tailscale.com/wgengine/filter"
) )
@ -340,7 +341,7 @@ func (t *TUN) filterIn(buf []byte) filter.Response {
// Their host networking stack can translate this into ICMP // Their host networking stack can translate this into ICMP
// or whatnot as required. But notably, their GUI or tailscale CLI // or whatnot as required. But notably, their GUI or tailscale CLI
// can show them a rejection history with reasons. // can show them a rejection history with reasons.
if p.IPVersion == 4 && p.IPProto == packet.TCP && p.TCPFlags&packet.TCPSyn != 0 { if p.IPVersion == 4 && p.IPProto == ipproto.TCP && p.TCPFlags&packet.TCPSyn != 0 {
rj := packet.TailscaleRejectedHeader{ rj := packet.TailscaleRejectedHeader{
IPSrc: p.Dst.IP, IPSrc: p.Dst.IP,
IPDst: p.Src.IP, IPDst: p.Src.IP,

4
wgengine/tstun/tun_test.go
Unescape Escape View File

@ -108,8 +108,8 @@ func netports(netPorts ...string) (ret []filter.NetPortRange) {
func setfilter(logf logger.Logf, tun *TUN) { func setfilter(logf logger.Logf, tun *TUN) {
protos := []ipproto.Proto{ protos := []ipproto.Proto{
packet.TCP, ipproto.TCP,
packet.UDP, ipproto.UDP,
} }
matches := []filter.Match{ matches := []filter.Match{
{IPProto: protos, Srcs: nets("5.6.7.8"), Dsts: netports("1.2.3.4:89-90")}, {IPProto: protos, Srcs: nets("5.6.7.8"), Dsts: netports("1.2.3.4:89-90")},

3
wgengine/userspace.go
Unescape Escape View File

@ -35,6 +35,7 @@ import (
"tailscale.com/net/tsaddr" "tailscale.com/net/tsaddr"
"tailscale.com/net/tshttpproxy" "tailscale.com/net/tshttpproxy"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/ipproto"
"tailscale.com/types/key" "tailscale.com/types/key"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/netmap" "tailscale.com/types/netmap"
@ -462,7 +463,7 @@ func (e *userspaceEngine) isLocalAddr(ip netaddr.IP) bool {
// handleDNS is an outbound pre-filter resolving Tailscale domains. // handleDNS is an outbound pre-filter resolving Tailscale domains.
func (e *userspaceEngine) handleDNS(p *packet.Parsed, t *tstun.TUN) filter.Response { func (e *userspaceEngine) handleDNS(p *packet.Parsed, t *tstun.TUN) filter.Response {
if p.Dst.IP == magicDNSIP && p.Dst.Port == magicDNSPort && p.IPProto == packet.UDP { if p.Dst.IP == magicDNSIP && p.Dst.Port == magicDNSPort && p.IPProto == ipproto.UDP {
request := tsdns.Packet{ request := tsdns.Packet{
Payload: append([]byte(nil), p.Payload()...), Payload: append([]byte(nil), p.Payload()...),
Addr: netaddr.IPPort{IP: p.Src.IP, Port: p.Src.Port}, Addr: netaddr.IPPort{IP: p.Src.IP, Port: p.Src.Port},

Write Preview
Loading…
Cancel
Save